Attack Campaign Created with Phishing Kit Tried to Steal Users’ Details Twice
Digital criminals launched an attack campaign in which they configured a phishing kit to try to steal users’ login credentials twice.
The Flow of the Redundant Attack Campaign
Researchers at Proofpoint first spotted this campaign in late July when they observed attack emails going after specific individuals in a variety of organizations, with no single industry vertical singled out. Each of those attack messages used a template stolen from electronic signature provider DocuSign to trick recipients into thinking there was a business agreement that required their signature. As such, the emails directed recipients to click on an embedded “View Documents” URL.
By clicking on the URL, users found themselves redirected to a landing page located at https://s3.us-east-2.amazonaws [.] com/docusign.0rwlhngl7x1w6fktk0xh8m0qhdx4wnbzz1w/t993zTVQwqXuQLxkegfz1CAUtcrGfe0bRm0V2Cn/eeu69zk7KqAmofMrHr6xrWgrKUoTrOn2BJhhnQg/eAzUroFtr7Gw9JrkWkX9.html. This page used DocuSign’s branding and overall format to trick recipients into authenticating themselves with their Office 365 credentials.
The attack didn’t end there. Proofpoint further observed that, after the credentials were submitted, the campaign redirected victims to a fake login portal for the webmail provider that matched the account they had entered on the DocuSign page. The attack used this second landing page to steal the users’ credentials once again.
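The landing-page URL above is concrete enough to turn into a detection check. The following Python is an added example, not Proofpoint’s code or part of the original report: it re-fangs a defanged indicator and then flags the traits this page shows, namely a page hosted on public object storage, a brand name appearing in the bucket or path rather than in the brand’s own domain, long random-looking path segments, and a static .html file served from storage. The brand table, the storage-host list, the entropy threshold and the two non-campaign sample URLs are assumptions made for the example.

```python
import re
from math import log2
from urllib.parse import urlparse

# Brands the campaign impersonated, mapped to the domain each legitimately uses.
# Assumption: this table and the storage-host pattern below are illustrative, not exhaustive.
BRAND_DOMAINS = {
    "docusign": "docusign.com",
    "sharepoint": "sharepoint.com",
    "microsoft": "microsoft.com",
    "dropbox": "dropbox.com",
}

# Object-storage hosts on which anyone can create a bucket and serve static HTML.
PUBLIC_STORAGE_HOST = re.compile(
    r"(^|\.)s3(\.[a-z0-9-]+)?\.amazonaws\.com$"
    r"|(^|\.)storage\.googleapis\.com$"
    r"|(^|\.)blob\.core\.windows\.net$"
)


def refang(url: str) -> str:
    """Turn a defanged indicator ("hxxps://x [.] y") back into a parseable URL."""
    url = re.sub(r"\s*\[\.\]\s*", ".", url)
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character; random bucket/key names score well above natural words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def is_legit_host(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse_url(url: str) -> dict:
    """Return the suspicious traits of a URL and a coarse verdict (low/medium/high)."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""  # .hostname is lower-cased and has the port stripped
    segments = [s for s in parsed.path.split("/") if s]
    findings = []

    on_storage = bool(PUBLIC_STORAGE_HOST.search(host))
    if on_storage:
        findings.append("public-cloud-storage-host")

    for brand, domain in BRAND_DOMAINS.items():
        if is_legit_host(host, domain):
            continue  # the brand's own site is not impersonation
        if brand in host:
            findings.append(f"brand-in-hostname:{brand}")
        if any(brand in seg.lower() for seg in segments):
            findings.append(f"brand-in-path:{brand}")

    # Long, high-entropy segments like the bucket and key names in this campaign.
    if any(len(seg) >= 20 and shannon_entropy(seg) > 3.5 for seg in segments):
        findings.append("high-entropy-path-segment")

    if on_storage and parsed.path.lower().endswith(".html"):
        findings.append("static-html-on-storage")

    brand_abuse = any(f.startswith("brand-in-") for f in findings)
    if brand_abuse and (on_storage or "high-entropy-path-segment" in findings):
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"host": host, "findings": findings, "verdict": verdict}


# Constructed inputs: the first is the defanged campaign URL quoted in the article,
# the other two are made up for contrast.
SAMPLE_URLS = {
    "campaign": "https://s3.us-east-2.amazonaws [.] com/docusign.0rwlhngl7x1w6fktk0xh8m0qhdx4wnbzz1w"
                "/t993zTVQwqXuQLxkegfz1CAUtcrGfe0bRm0V2Cn/eeu69zk7KqAmofMrHr6xrWgrKUoTrOn2BJhhnQg"
                "/eAzUroFtr7Gw9JrkWkX9.html",
    "legit": "https://app.docusign.com/documents/details/abc123",
    "lookalike_host": "https://docusign-secure.example.net/login",
}


def scan(urls: dict) -> dict:
    return {name: analyse_url(url) for name, url in urls.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_URLS).items():
        print(f"{name:15s} {result['verdict']:6s} {result['findings']}")
```

The brand check deliberately skips hosts that end in the brand’s real domain, so DocuSign’s own app is not flagged while a bucket or lookalike hostname that merely contains the word is. Entropy alone is a weak signal (CDN asset paths are also random), which is why the verdict only reaches “high” when a brand-impersonation finding is combined with public storage or a random path.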
Getting a Closer Look
A closer look revealed that a phishing kit was responsible for the JavaScript encoding on the original phishing landing page. Proofpoint’s researchers noted that the kit also pulled resources from multiple websites containing “dancelikejoseph” in their domain names. Each of those domains used TLS certificates from Let’s Encrypt to add a sense of legitimacy (the browser padlock only shows that the connection is encrypted to whoever controls the domain, and any domain owner can obtain such a certificate for free), and they listed phasephaser@yandex.com as the registrant.
Proofpoint also found some interesting information about those responsible for the attack. As it explained in its research:
The actor engaging in this activity is not new to hosting on AWS, as we have observed it in similar low-volume campaigns throughout the year. All non-AWS domains have utilized “Let’s Encrypt” TLS certificates, and most appear to be registered with Russian domain registration services. While all phishing was hosted on AWS during this period, in some cases the actor used other public cloud infrastructure to host specific resources for the landing pages.
Putting This Attack into Context
Attackers have a history of abusing Google Drive, Dropbox and other hosting services. Recently, they’ve taken a particular interest in leveraging Microsoft SharePoint, a document management and storage platform. Back in August 2018, for instance, Avanan spotted one malspam campaign where fraudsters embedded phishing links into SharePoint files rather than in the attack emails themselves. Because the email carried only a link to a legitimate Microsoft domain, the bad actors bypassed email security measures and better concealed their efforts to steal users’ Office 365 credentials. It was about a year later when Cofense spotted a phishing kit using a similar attack technique to target Office 365 users.
Digital criminals are also increasingly turning to phishing kits to aid them in their social attacks. In November 2018, McAfee Labs discovered malicious actors using a phishing kit called “16Shop” to target Apple account holders in the United States and Japan using an email with an attached PDF file, for example. Things haven’t improved thus far in 2019, either. As of July, Cyren’s research lab had turned up 5,334 new phishing kits that offered full-service subscriptions to wannabe criminals at $50 to $80 per month. The vast majority (87 percent) of those kits used evasive techniques, thus making their attacks all the more difficult to detect.
When taken together, fraudsters’ growing abuse of hosting services and use of phishing kits highlight the need for organizations to strengthen their email security. They can do so by investing in a security solution that’s capable of analyzing incoming emails for campaign patterns, suspicious URLs, malware signatures and other threat indicators. This solution should be able to provide insights in real time while letting legitimate messages through.